2012-12-24 19:11:57 +00:00
|
|
|
require 'spec_helper'
|
|
|
|
|
2015-02-19 01:53:47 +00:00
|
|
|
describe ApiDefender, type: :request do
|
2012-12-26 15:13:08 +00:00
|
|
|
def get_basic_auth user = @user, by_token = false, by_email = false
|
2012-12-24 19:11:57 +00:00
|
|
|
u,pass = if by_token
|
2012-12-26 14:30:05 +00:00
|
|
|
[user.authentication_token, '']
|
2012-12-26 15:13:08 +00:00
|
|
|
elsif by_email
|
|
|
|
[user.email, @password]
|
2012-12-24 19:11:57 +00:00
|
|
|
else
|
2012-12-26 15:13:08 +00:00
|
|
|
[user.uname, @password]
|
2012-12-24 19:11:57 +00:00
|
|
|
end
|
|
|
|
ActionController::HttpAuthentication::Basic.encode_credentials u, pass
|
|
|
|
end
|
|
|
|
|
2012-12-26 15:13:08 +00:00
|
|
|
def get_request auth_user = nil, by_token = false, by_email = false
|
|
|
|
auth = auth_user ? {'HTTP_AUTHORIZATION' => get_basic_auth(auth_user, by_token, by_email)} : {}
|
2012-12-26 14:42:07 +00:00
|
|
|
get "/api/v1/users/#{@user.id}.json", {}, auth
|
|
|
|
end
|
|
|
|
|
2012-12-26 16:46:32 +00:00
|
|
|
def get_request2 auth_user = nil, by_token = false, by_email = false
|
|
|
|
auth_user = FactoryGirl.create(:user) if !auth_user && APP_CONFIG['anonymous_access'] == false
|
|
|
|
get_request auth_user, by_token, by_email
|
|
|
|
end
|
|
|
|
|
2012-12-24 19:11:57 +00:00
|
|
|
before do
|
2014-03-18 13:54:16 +00:00
|
|
|
stub_symlink_methods
|
2012-12-26 13:07:54 +00:00
|
|
|
@redis = Redis.new
|
2012-12-24 19:11:57 +00:00
|
|
|
@password = '123456'
|
2012-12-26 14:30:05 +00:00
|
|
|
@rate_limit = 3 # dont forget change in max_per_window
|
2012-12-26 13:07:54 +00:00
|
|
|
|
2012-12-26 14:30:05 +00:00
|
|
|
ApiDefender.class_eval("def cache; Redis.new; end; def max_per_window; return #{@rate_limit}; end;")
|
2012-12-24 19:11:57 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
before(:each) do
|
2014-01-21 04:51:49 +00:00
|
|
|
@user = FactoryGirl.create :user, password: @password
|
|
|
|
@system_user = FactoryGirl.create :user, role: 'system'
|
2012-12-24 19:11:57 +00:00
|
|
|
end
|
|
|
|
|
2012-12-26 16:46:32 +00:00
|
|
|
if APP_CONFIG['anonymous_access'] == true
|
|
|
|
context 'for anonymous user' do
|
|
|
|
it "should return the total limit" do
|
|
|
|
get_request
|
|
|
|
response.headers['X-RateLimit-Limit'].should == @rate_limit.to_s
|
|
|
|
end
|
|
|
|
|
|
|
|
it "should return the correct limit usage for anonymous user" do
|
|
|
|
get_request
|
|
|
|
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
|
|
|
|
end
|
|
|
|
|
|
|
|
it "should return the correct limit usage for anonymous user after authenticated access" do
|
|
|
|
get_request @user
|
|
|
|
get_request
|
|
|
|
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-2).to_s
|
|
|
|
end
|
|
|
|
|
|
|
|
it "should forbidden anonymous user after exceeding limit rate" do
|
|
|
|
(@rate_limit+1).times {get_request}
|
|
|
|
response.status.should == 403
|
|
|
|
end
|
2012-12-26 14:35:15 +00:00
|
|
|
end
|
2012-12-26 16:46:32 +00:00
|
|
|
else
|
|
|
|
it "should forbidden anonymous access" do
|
2012-12-26 14:42:07 +00:00
|
|
|
get_request
|
2012-12-26 16:46:32 +00:00
|
|
|
response.status.should == 401
|
2012-12-26 14:35:15 +00:00
|
|
|
end
|
2012-12-24 19:11:57 +00:00
|
|
|
end
|
|
|
|
|
2012-12-26 14:35:15 +00:00
|
|
|
context 'for user' do
|
|
|
|
it "should return the correct limit usage for auth user" do
|
2012-12-26 14:42:07 +00:00
|
|
|
get_request @user
|
2012-12-26 14:35:15 +00:00
|
|
|
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
|
2012-12-26 15:13:08 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
it "should allow auth by uname and password" do
|
2012-12-26 16:46:32 +00:00
|
|
|
(@rate_limit+1).times {get_request2}
|
2012-12-26 15:13:08 +00:00
|
|
|
get_request @user
|
|
|
|
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
|
|
|
|
end
|
|
|
|
|
|
|
|
it "should allow auth by email and password" do
|
2012-12-26 16:46:32 +00:00
|
|
|
(@rate_limit+1).times {get_request2}
|
2012-12-26 15:13:08 +00:00
|
|
|
get_request @user, false, true
|
|
|
|
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
|
|
|
|
end
|
|
|
|
|
|
|
|
it "should allow auth by token" do
|
2012-12-26 16:46:32 +00:00
|
|
|
(@rate_limit+1).times {get_request2}
|
2012-12-26 15:13:08 +00:00
|
|
|
get_request @user, true
|
|
|
|
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
|
2012-12-26 14:35:15 +00:00
|
|
|
end
|
2012-12-26 14:30:05 +00:00
|
|
|
|
2012-12-26 16:46:32 +00:00
|
|
|
it "should return the correct limit usage for auth user after other user" do
|
|
|
|
get_request2
|
2012-12-26 14:42:07 +00:00
|
|
|
get_request @user
|
2012-12-26 14:35:15 +00:00
|
|
|
response.headers['X-RateLimit-Remaining'].should == (@rate_limit-1).to_s
|
|
|
|
end
|
2012-12-26 14:30:05 +00:00
|
|
|
|
2012-12-26 14:35:15 +00:00
|
|
|
it "should forbidden user after exceeding limit rate" do
|
2012-12-26 14:42:07 +00:00
|
|
|
(@rate_limit+1).times {get_request @user}
|
2012-12-26 14:35:15 +00:00
|
|
|
response.status.should == 403
|
|
|
|
end
|
2012-12-26 14:30:05 +00:00
|
|
|
|
2012-12-26 16:46:32 +00:00
|
|
|
it "should not forbidden user after exceeding limit rate of the other user" do
|
|
|
|
(@rate_limit+1).times {get_request2}
|
2012-12-26 14:42:07 +00:00
|
|
|
get_request @user
|
2012-12-26 14:35:15 +00:00
|
|
|
response.status.should == 200
|
|
|
|
end
|
2012-12-26 14:30:05 +00:00
|
|
|
end
|
|
|
|
|
2012-12-26 14:35:15 +00:00
|
|
|
context 'for system user' do
|
|
|
|
it "should not return the limit usage for system user" do
|
2012-12-26 14:42:07 +00:00
|
|
|
get_request @system_user, true
|
2012-12-26 14:35:15 +00:00
|
|
|
response.headers['X-RateLimit-Limit'].should_not == @rate_limit.to_s
|
|
|
|
end
|
2012-12-26 14:30:05 +00:00
|
|
|
|
2012-12-26 14:35:15 +00:00
|
|
|
it "should not forbidden system user" do
|
2012-12-26 14:42:07 +00:00
|
|
|
(@rate_limit+1).times {get_request @system_user, true}
|
2012-12-26 14:35:15 +00:00
|
|
|
response.status.should == 200
|
2012-12-26 14:30:05 +00:00
|
|
|
end
|
2012-12-24 19:11:57 +00:00
|
|
|
end
|
2013-07-04 13:43:35 +01:00
|
|
|
|
2013-07-04 13:44:48 +01:00
|
|
|
context 'for allowed addresses' do
|
2013-07-04 13:43:35 +01:00
|
|
|
let(:remote_addr) { APP_CONFIG['allowed_addresses'].first }
|
2013-07-04 13:44:48 +01:00
|
|
|
it 'should not return the limit usage for allowed address' do
|
2013-07-04 13:43:35 +01:00
|
|
|
get "/api/v1/users/#{@user.id}.json", {}, {'REMOTE_ADDR' => remote_addr }
|
|
|
|
response.headers['X-RateLimit-Limit'].should_not == @rate_limit.to_s
|
|
|
|
end
|
|
|
|
|
2013-07-04 13:44:48 +01:00
|
|
|
it 'should not forbidden allowed address' do
|
2013-07-04 13:43:35 +01:00
|
|
|
(@rate_limit+1).times { get "/api/v1/users/#{@user.id}.json", {}, {'REMOTE_ADDR' => remote_addr } }
|
|
|
|
response.status.should == 200
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2012-12-24 19:11:57 +00:00
|
|
|
end
|